Vega allows Cross-site Scripting via the vlSelectionTuples function
The vlSelectionTuples function can be used to call JavaScript functions, leading to XSS.
Advisories for Npm/Vega package
2025
2023
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in vega.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in vega.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in vega.
2020
Cross-site Scripting
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega there is an XSS vulnerability in Vega expressions. Through a specially crafted Vega expression, an attacker could execute arbitrary javascript on a victim's machine.